DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Acknowledgements
This communication is in response to
Application claim amendments filed on 01/11/2021, and 
Authorization for the below examiner’s amendments was given by email by Ms. Myrna M. Schelling (Reg. No. 54,426) on 06/01/2021.

The amendments filed on 01/11/2021 have been entered.
The below claim amendments overcome the USC 112(b) and USC 103 rejections previously set forth in the Office Action mailed on 11/23/2020.

An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.

Examiner’s Amendment
Note: Proposed amendments marked manually with underlining and 

Abstract
A malicious code detection module identifies potentially malicious instructions in memory of a computing device. The malicious code detection module examines the call stack for each thread running within the operating system of the computing device. Within each call stack, the malicious code detection module identifies the originating module for each stack frame and determines whether the originating module is backed by an image on disk. If an originating module is not backed by an image on disk, the thread containing that originating module is flagged as potentially malicious, execution of the thread optionally is suspended, and an alert is generated for the user or administrator.  

Claims

1. (Currently Amended) A method of detecting malicious code in a computing device comprising a processor executing an operating system and a malicious code detection module, memory, and a non-volatile storage device, the method comprising: 
identifying, by the malicious code detection module, a call stack for a thread of execution within the operating system that includes an originating module and an attribute table; 
assigning, by the malicious code detection module, a unique identifier to the call stack; and 
when the top of the call stack contains a call to an application programming interface of the operating system: 
,
wherein the determining step is performed for additional stack frames in the call stack until a threshold or event is reached, 
wherein the threshold or event is based on stack frames, to be analyzed by the malicious code detection module, that were added to the call stack within a specific time period; and 
generating an alert, by the malicious code detection module, when the attribute table associated with the originating module indicates that the originating module is not backed by a file stored in the non-volatile storage device. 

2. (Canceled).  
3. (Canceled).  

4. (Original) The method of claim 1, wherein the malicious code detection module is part of a kernel of the operating system.  

5. (Original) The method of claim 1, wherein the malicious code detection module is not part of the operating system.  

6. (Currently Amended) A method of detecting malicious code in a computing device comprising a processor executing an operating system and a malicious code detection module, memory, and a non-volatile storage device, the method comprising: 

assigning, by the malicious code detection module, a unique identifier to the call stack; and 
when the top of the call stack contains a call to an application programming interface of the operating system: 
determining, by the malicious code detection module, the originating module that initiated a stack frame in the call stack,
wherein the determining step is performed for additional stack frames in the call stack until a threshold or event is reached, 
wherein the threshold or event is based on stack frames, to be analyzed by the malicious code detection module, that were added to the call stack within a specific time period; and 
suspending, by the malicious code detection module, a thread of execution containing the originating module when the attribute table associated with the originating module indicates that the originating module is not backed by a file stored in the non-volatile storage device.  

7. (Canceled).  
8. (Canceled).  
9. (Canceled). 




11. (Original) The method of claim 6, wherein the malicious code detection module is not part of the operating system.  

12. (Currently Amended) A computing device comprising: a processor executing an operating system and a malicious code detection module; memory; and a non-volatile storage device; 
wherein the malicious code detection module comprises instructions for: identifying a call stack for a thread of execution that includes an originating module and an attribute table within the operating system; 
assigning, by the malicious code detection module, a unique identifier to the call stack; and 
when the top of the call stack contains a call to an application programming interface of the operating system: 
determining the originating module that initiated a stack frame in the call stack,
wherein the malicious code detection module further comprises instructions for performing the determining step for additional stack frames in the call stack until a threshold or event is reached, 
wherein the threshold or event is based on stack frames, to be analyzed by the malicious code detection module, that were added to the call stack within a specific time period; and 


13. (Canceled).  
14. (Canceled). 

15. (Original) The device of claim 12, wherein the malicious code detection module is part of a kernel of the operating system.  

16. (Original) The device of claim 12, wherein the malicious code detection module is not part of the operating system.  

17 - 21. (Canceled).  
  
22. (Previously Presented) The device of claim 12, wherein the malicious code detection module further comprises instructions for: suspending a thread of execution containing the originating module if the originating module is not backed by a file stored in the non-volatile storage device.  

23. (Currently Amended) A method of detecting malicious code in a computing device, the method comprising: 
 an operating system; 
assigning, by a malicious code detection module, a unique identifier to the call stack; and 
when the top of the call stack contains a system call from an operating system library to an application programming interface of the operating system: 
analyzing, using the processor, the call stack in reverse order in which stack frames were added to the call stack, the analyzing comprising: 
when the call stack does not include a direct call from the thread of execution to the operating system, determining that the thread is non-malicious; 
when the call stack includes a direct call from the thread of execution to an application programming interface of the operating system: 
determining the originating module that initiated a stack frame in the call stack; and when the attribute table associated with the originating module indicates that the originating module is not backed by a file stored in the non-volatile storage device, determining that the thread is , 
wherein the malicious code detection module further comprises instructions for performing the step of determining the originating module that initiated a stack frame in the call stack, for additional stack frames in the call stack until a threshold or event is reached, 
wherein the threshold or event is based on stack frames, to be analyzed by the malicious code detection module, that were added to the call stack within a specific time period.
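The call-stack analysis recited in the abstract and in claim 23, modelled as an added Python example that is not part of this application or of the office action. The two-field attribute table, the module names, the frame timestamps and the "not-analyzed" verdict for stacks whose top is not an OS API call are assumptions made for the model:

```python
from dataclasses import dataclass
from itertools import count

@dataclass(frozen=True)
class Module:               # the "attribute table" reduced to two fields
    name: str
    backed_by_file: bool    # is there an image on the non-volatile storage device?
    is_os: bool = False     # operating-system library / API module
@dataclass(frozen=True)
class Frame:
    module: Module          # originating module of this stack frame
    return_address: int
    added_at: float         # seconds: when the frame was added to the call stack
_stack_ids = count(1)       # unique identifier assigned to each enumerated call stack

def analyze_call_stack(frames, now, window):
    """Return (stack_id, verdict, offending module name or None); frames[-1] is the top.
    Frames are walked in reverse order of addition and only those added within
    `window` seconds of `now` are examined (the claimed time-based threshold)."""
    stack_id = next(_stack_ids)
    if not frames or not frames[-1].module.is_os:
        return stack_id, "not-analyzed", None   # top is not a call into an OS API
    for frame in reversed(frames):
        if now - frame.added_at > window:
            break                               # threshold reached: stop walking
        if frame.module.is_os:
            continue                            # OS library frames are not the caller
        if not frame.module.backed_by_file:     # direct caller lives in unbacked memory
            return stack_id, "malicious", frame.module.name
    return stack_id, "non-malicious", None      # no unbacked direct caller in window

def scan_threads(threads, now, window=5.0):
    """Analyze every thread's call stack; return one alert dict per flagged thread."""
    alerts = []
    for tid, frames in threads.items():
        stack_id, verdict, module = analyze_call_stack(frames, now, window)
        if verdict == "malicious":
            alerts.append({"thread": tid, "stack": stack_id, "module": module})
    return alerts

NTDLL = Module("ntdll.dll", True, is_os=True)     # constructed sample modules below
K32 = Module("kernel32.dll", True, is_os=True)
APP = Module("app.exe", True)
UNBACKED = Module("<unbacked region>", False)
SAMPLE_THREADS = {   # bottom frame first; addresses and timestamps are constructed
    1: [Frame(APP, 0x401000, 0.0), Frame(K32, 0x7ff1, 9.0), Frame(NTDLL, 0x7ff2, 9.5)],
    2: [Frame(APP, 0x401000, 0.0), Frame(UNBACKED, 0x20000, 8.0),
        Frame(K32, 0x7ff1, 9.0), Frame(NTDLL, 0x7ff2, 9.5)],
    3: [Frame(UNBACKED, 0x20000, 0.0), Frame(APP, 0x401200, 9.0), Frame(NTDLL, 0x7ff2, 9.5)],
    4: [Frame(APP, 0x401000, 0.0), Frame(UNBACKED, 0x20000, 9.0)],
}
```

Thread 3 shows the time-based threshold at work: its unbacked frame was added long before the window and is therefore never examined with the default window, but is flagged once the window is widened.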

24. (Currently Amended) The method of claim 23, further comprising, in response to determining that the thread is 

25. (Canceled).
  
26. (Currently Amended) The method of claim 24, wherein [[a]] the malicious code detection module is part of a kernel of the operating system.  

27. (Currently Amended) The method of claim 24, wherein [[a]] the malicious detection module is not part of the operating system.  

28. (Previously Presented) The method of claim [[2]] 1, further comprising enumerating the call stack and the additional call stacks.  

29. (Previously Presented) The method of claim [[2]] 1, further comprising assigning, by the malicious code detection module, a unique identifier to each of the additional call stacks.  

30. (Previously Presented) The method of claim [[2]] 1, wherein the threshold or event is based on a specified number of stack frames to be analyzed by the malicious code detection module.  



32. (Previously Presented) The method of claim 1, further comprising determining, by the malicious code detection module, a return address for the stack frame.

33. (New) The method of claim 6, further comprising determining, by the malicious code detection module, a return address for the stack frame.

34. (New) The device of claim 12, wherein the malicious code detection module further comprises instructions for determining a return address for the stack frame.

Allowable Subject Matter
Above Claims 1, 4-6, 10-12, 15-16, 22-24, 26-30, and 32-34 are allowed.
The following is a statement of reasons for indication of allowable subject matter.
Cited and relevant prior art of record:
Guidry (US 20160357958 A1),
Salehpour (US 9509697 B1),
Applicant-admitted prior art in the instant application (AAPA) in Figure 4 [0017],
Matthew (US 7085928 B1), and
Chan (US 20140310714 A1).


While the aforementioned prior art references disclose the aforementioned concepts, none of them, individually or in combination, discloses all the limitations in the manner recited in the independent claims. Specifically, none of the above prior art discloses, in conjunction with the remaining limitations, that a determining step is performed for additional stack frames in the call stack until a threshold or event is reached, wherein the threshold or event is based on stack frames, to be analyzed by the malicious code detection module, that were added to the call stack within a specific time period. Therefore, the above limitations in conjunction with 

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled "Comments on Statement of Reasons for Allowance."

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BASSAM A NOAMAN whose telephone number is (571) 272-2705. The examiner can normally be reached on Monday-Friday 8:30 AM-5:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni A. Shiferaw can be reached on (571) 272-3867.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for 
/BASSAM A NOAMAN/Examiner, Art Unit 2497
/ELENI A SHIFERAW/Supervisory Patent Examiner, Art Unit 2497